exodus
[Feature Request] Support popular unofficial F-Droid repos
The problem: Privacy-conscious users frequently install apps from unofficial F-Droid compatible repositories. For example, https://guardianproject.info/fdroid/ for Tor Project software, EFF software, and other privacy software. There's currently no good way of knowing if tracking is being added to or removed from builds in these repos.
Since these repos are all F-Droid compatible already, adding support to the submit for analysis page should be fairly straightforward. (Once Exodus can support just one unofficial F-Droid repo, it should be able to support them all.)
Here are some of the more popular F-Droid compatible repos used by privacy-conscious people:
Antox https://pkg.tox.chat/fdroid/repo
Bitwarden https://mobileapp.bitwarden.com/fdroid/repo
Briar https://briarproject.org/fdroid/repo
Bromite https://fdroid.bromite.org/fdroid/repo
CalyxOS https://calyxos.gitlab.io/calyx-fdroid-repo/fdroid/repo
Firefox unofficial https://rfc2822.gitlab.io/fdroid-firefox/fdroid/repo
Guardian Project https://guardianproject.info/fdroid/repo
I2P https://f-droid.i2p.io/repo/
IzzyOnDroid https://apt.izzysoft.de/fdroid/repo/
Kali Nethunter https://store.nethunter.com/repo
KDE https://cdn.kde.org/android/fdroid/repo
microG https://microg.org/fdroid/
Molly https://molly.im/fdroid/repo
Newpipe https://archive.newpipe.net/fdroid/repo
Protox https://submarine.strangled.net/fdroid/repo
PurpleI2P https://fdroid.i2pd.xyz/fdroid/repo
Riot https://fdroid.krombel.de/riot-stable/fdroid/repo
Umbrella https://secfirst.org/fdroid/repo
Ungoogled Chromium https://www.droidware.info/fdroid/repo
(Larger and frequently updated list here: https://codeberg.org/mondstern/F-Droid-Paketquellen/wiki)
Potential Solution 1: (open-ended approach)
Allow users to pass an alternative repository URL (like https://guardianproject.info/fdroid/repo) in a text-entry field.
Pros:
- Supports all F-Droid compatible repos, past, present, and future
- Prevents requests for additional repo support
- User-submitted repo data provides insights and trends on unofficial repo usage
Cons:
- Not terribly user-friendly (so, call it an "experimental" feature and collect submission info to improve it)
- Some submission sanitization will be necessary (as with any text submission field)
- Analysis results page will need to parse and display arbitrary repositories beyond F-Droid Official and Google Play
Potential Solution 2: (curated approach)
Start with one additional unofficial F-Droid repo (e.g. Guardian Project) and entertain requests for additional repos later.
Pros:
- More user friendly
- Gets something shipped faster
- No need to deal with potential edge cases of other repos (e.g. some repo has an unusually long URL, etc.)
Cons:
- Less user-choice
- Devs will have to field requests for additional repos (though this could be streamlined)
- Lacks the high-quality indicator of unofficial repo popularity provided in the open-ended solution.
Possible conflicts:
- This may affect or be dependent on the way #393 (F-Droid pulling beta versions) will be handled.
- Unofficial F-Droid repos differ in whether their APKs are built with automated CI or are simply user-submitted builds.
- Different repos may have identical naming and versioning for builds that are not identical to builds from other repos.
Potential Solution 3
Simply run a cron job to scrape for updates from the XML pages for a list of repos and analyze everything in a queue.
The number of apps in these repos is not that high. So this may actually be the easiest and most user-friendly solution.
Why do people trust one of the 20 different builds of Signal Messenger in the above repos over any other one? Should they be trusting repos maintained by random strangers on the internet? What would an analysis reveal about these questions?
Neo Store offers some of these by default so it would be great.
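The "submission sanitization" noted under Potential Solution 1 matters mostly because the analysis server would fetch whatever URL a user submits. The sketch below is an added example, not Exodus code or part of the thread: `normalize_repo_url`, the injected `resolve` callback, the 200-character cap and the sample DNS table are all assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit, urlunsplit

MAX_URL_LEN = 200  # assumed cap for the "unusually long URL" edge case


class RepoURLError(ValueError):
    """Raised when a submitted repository URL is refused."""


def normalize_repo_url(raw, resolve):
    """Return the canonical base URL of a submitted repo, or raise RepoURLError.

    resolve(hostname) -> list of IP strings. It is injected (hypothetical
    interface) so the policy can be tested without touching the network.
    """
    raw = raw.strip()
    if len(raw) > MAX_URL_LEN:
        raise RepoURLError("URL too long")
    try:
        parts = urlsplit(raw)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        raise RepoURLError("malformed URL") from None
    if parts.scheme != "https":
        raise RepoURLError("only https:// repositories are accepted")
    if parts.username is not None or parts.password is not None:
        raise RepoURLError("credentials are not allowed in the URL")
    if parts.query or parts.fragment:
        raise RepoURLError("query strings and fragments are not allowed")
    host = parts.hostname
    if not host or port not in (None, 443):
        raise RepoURLError("missing host or non-default port")
    try:
        addrs = [str(ipaddress.ip_address(host))]  # host is an IP literal
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        raise RepoURLError("host does not resolve")
    # Refuse loopback, private, link-local and other non-public targets so the
    # analysis server cannot be pointed at internal services. The later fetch
    # must connect to these same addresses, not re-resolve the name.
    if not all(ipaddress.ip_address(a).is_global for a in addrs):
        raise RepoURLError("host resolves to a non-public address")
    netloc = f"[{host}]" if ":" in host else host
    return urlunsplit(("https", netloc, parts.path.rstrip("/"), "", ""))


# Constructed resolver data for the demonstration, not real DNS answers.
FAKE_DNS = {"repo.example.org": ["93.184.216.34"], "intranet.example.org": ["10.0.0.5"]}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])
```

Storing the normalized form also gives the results page one stable key per repository, which helps when different repos ship builds with identical names and versions.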